move .search-acl-filter-* permissions to the right api key creation f…
…unction (elastic#160457)

## Summary
I'd added this logic in elastic#159840,
and it turns out that was the wrong place to influence connector API keys.


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
seanstory authored Jun 23, 2023
1 parent 1ee60b0 commit 8251481
Showing 4 changed files with 12 additions and 30 deletions.
Expand Up @@ -42,25 +42,7 @@ describe('createApiKey lib function', () => {
cluster: [],
index: [
{
names: [indexName, `.search-acl-filter-my-index`],
privileges: ['all'],
},
],
},
},
});
});

it('works with search-* prefixed indices', async () => {
await createApiKey(request, security, 'search-test', keyName);
expect(security.authc.apiKeys.create).toHaveBeenCalledWith(request, {
name: keyName,
role_descriptors: {
['search-test-key-role']: {
cluster: [],
index: [
{
names: ['search-test', `.search-acl-filter-test`],
names: [indexName],
privileges: ['all'],
},
],
Expand Up @@ -17,17 +17,14 @@ export const createApiKey = async (
indexName: string,
keyName: string
) => {
// removes the "search-" prefix if present, and applies the new prefix
const aclIndexName = indexName.replace(/^(?:search-)?(.*)$/, '.search-acl-filter-$1');

return await security.authc.apiKeys.create(request, {
name: keyName,
role_descriptors: {
[`${toAlphanumeric(indexName)}-key-role`]: {
cluster: [],
index: [
{
names: [indexName, aclIndexName],
names: [indexName],
privileges: ['all'],
},
],
Expand Up @@ -59,7 +59,7 @@ describe('generateApiKey lib function', () => {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['index_name', '.search-acl-filter-index_name', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand All @@ -85,16 +85,16 @@ describe('generateApiKey lib function', () => {
}));

await expect(
generateApiKey(mockClient as unknown as IScopedClusterClient, 'index_name')
generateApiKey(mockClient as unknown as IScopedClusterClient, 'search-test')
).resolves.toEqual({ encoded: 'encoded', id: 'apiKeyId' });
expect(mockClient.asCurrentUser.security.createApiKey).toHaveBeenCalledWith({
name: 'index_name-connector',
name: 'search-test-connector',
role_descriptors: {
['index-name-connector-role']: {
['search-test-connector-role']: {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['search-test', '.search-acl-filter-test', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand Down Expand Up @@ -141,7 +141,7 @@ describe('generateApiKey lib function', () => {
cluster: ['monitor'],
index: [
{
names: ['index_name', `${CONNECTORS_INDEX}*`],
names: ['index_name', '.search-acl-filter-index_name', `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
Expand Up @@ -12,14 +12,17 @@ import { ConnectorDocument } from '../../../common/types/connectors';
import { toAlphanumeric } from '../../../common/utils/to_alphanumeric';

export const generateApiKey = async (client: IScopedClusterClient, indexName: string) => {
// removes the "search-" prefix if present, and applies the new prefix
const aclIndexName = indexName.replace(/^(?:search-)?(.*)$/, '.search-acl-filter-$1');

const apiKeyResult = await client.asCurrentUser.security.createApiKey({
name: `${indexName}-connector`,
role_descriptors: {
[`${toAlphanumeric(indexName)}-connector-role`]: {
cluster: ['monitor'],
index: [
{
names: [indexName, `${CONNECTORS_INDEX}*`],
names: [indexName, aclIndexName, `${CONNECTORS_INDEX}*`],
privileges: ['all'],
},
],
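Review bot: The regex that builds `aclIndexName` treats the `search-` prefix as optional, so `foo` and `search-foo` both resolve to `.search-acl-filter-foo`, and a connector key generated for one index carries `privileges: ['all']` on the access-control index derived for the other. If both name forms can reach `generateApiKey` (its callers and any validation of `indexName` are outside this hunk), document the shared mapping next to the regex, e.g. `// NOTE: 'foo' and 'search-foo' both map to '.search-acl-filter-foo'`. `indexName` is also interpolated as-is into `names`, which Elasticsearch reads as index patterns, so unless an upstream check already rejects `*`, a guard before the `replace` would keep the grant to a single ACL index. Putting `aclIndexName` in its own `index` entry would let its privileges be narrowed independently of the content index, should the connector not need `all` there. The body of `generateApiKey` continues past the end of the hunk.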
